From: Takashi Iwai <tiwai@suse.de>
To: Kun Hu <huk23@m.fudan.edu.cn>
Cc: perex@perex.cz, tiwai@suse.com, linux-sound@vger.kernel.org,
linux-kernel@vger.kernel.org,
"jjtan24@m.fudan.edu.cn" <jjtan24@m.fudan.edu.cn>
Subject: Re: Bug: slab-out-of-bounds in snd_seq_oss_synth_sysex
Date: Sun, 29 Dec 2024 11:45:49 +0100 [thread overview]
Message-ID: <87ed1qydgi.wl-tiwai@suse.de> (raw)
In-Reply-To: <B1CA9370-9EFE-4854-B8F7-435E0B9276C6@m.fudan.edu.cn>
On Wed, 25 Dec 2024 06:37:47 +0100,
Kun Hu wrote:
>
> Hello,
>
> > BUG: KASAN: slab-out-of-bounds in snd_seq_oss_synth_sysex+0x5d1/0x6c0 sound/core/seq/oss/seq_oss_synth.c:516
>
> We further analyzed the issue at line 516 in ./sound/core/seq/oss/seq_oss_synth.c.
> The slab-out-of-bounds crash occurs in line 509, when sysex->len = 128. Specifically, the write operation to dest[0] accesses memory beyond the bounds of sysex->buf (128 byte).
> To resolve this issue, we suggest adding 6 lines of code to validate the legality of the address write to sysex->buf before entering the loop:
>
> if (sysex->len >= MAX_SYSEX_BUFLEN) {
> sysex->len = 0;
> sysex->skip = 1;
> return -EINVAL; /* Exit early if sysex->len is out of bounds */
> }
The only place incrementing sysex->len is that loop and it has already
the bounce check which resets sysex->len to 0. That is, the likely
reason of the buffer overflow is rather the racy calls of this
function.
If so, a potential fix would be rather to protect the concurrency,
e.g. a simplest form is something like below.
Could you check whether it addresses your problem?
thanks,
Takashi
-- 8< --
--- a/sound/core/seq/oss/seq_oss_synth.c
+++ b/sound/core/seq/oss/seq_oss_synth.c
@@ -66,6 +66,7 @@ static struct seq_oss_synth midi_synth_dev = {
};
static DEFINE_SPINLOCK(register_lock);
+static DEFINE_MUTEX(sysex_mutex);
/*
* prototypes
@@ -497,6 +498,7 @@ snd_seq_oss_synth_sysex(struct seq_oss_devinfo *dp, int dev, unsigned char *buf,
if (!info)
return -ENXIO;
+ guard(mutex)(&sysex_mutex);
sysex = info->sysex;
if (sysex == NULL) {
sysex = kzalloc(sizeof(*sysex), GFP_KERNEL);
next prev parent reply other threads:[~2024-12-29 10:45 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-24 11:16 Bug: slab-out-of-bounds in snd_seq_oss_synth_sysex Kun Hu
2024-12-25 5:37 ` Kun Hu
2024-12-26 6:08 ` Kun Hu
2024-12-28 8:07 ` Kun Hu
2024-12-28 8:35 ` Takashi Iwai
2024-12-28 8:44 ` Kun Hu
2024-12-29 10:45 ` Takashi Iwai [this message]
2024-12-30 9:52 ` Kun Hu
[not found] ` <3326E7C2-1E4F-4F57-AAB5-065C20854F31@m.fudan.edu.cn>
2024-12-30 10:59 ` Takashi Iwai
2024-12-30 13:10 ` Kun Hu
2024-12-31 11:54 ` Takashi Iwai
2025-01-01 6:54 ` Kun Hu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87ed1qydgi.wl-tiwai@suse.de \
--to=tiwai@suse.de \
--cc=huk23@m.fudan.edu.cn \
--cc=jjtan24@m.fudan.edu.cn \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-sound@vger.kernel.org \
--cc=perex@perex.cz \
--cc=tiwai@suse.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.